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SMS, the forgotten Source of Intelligence 



♦ 3 billion users worldwide are sending 3 SMS per day in average 
(3.285.000.000.000 / year). 

♦ Mass Monitoring and Content Retention of SMS/MMS traffic is 
definitely a source of intelligence disregarded by many. 

♦ This session gives insight in the ways of intelligence gathering in this 
massive amount of data. 



Updated figures on Feb 2011 , worldwide: 

♦ SMS: estimated 3,300,000,000,000 

(https://scholar.sun.ac.za/bitstream/handle/1 001 9.1 /962/de villiers case study 2010.pdf) 

♦ Emails: average of 3,250,000 per second, approx. 85% SPAM 

( http://www.worldometers.info and Wikipedia) 

♦ Email accounts: 3,146,000,000 active accounts 

(Email Statistics Report, 2010, Radicati Group) 



© Utimaco Safeware AG 




Agenda 



♦ About Utimaco 

Who we are, what we do 

♦ Quick Recap 

► SMS 
Intelligence 

♦ Bringing both together 

Technical drivers 
System architecture 

♦ Generating Intelligence 

The questions 

► Ways to get the answers 

♦ Summary 



© Utimaco Safeware AG 



utimaco* 

a member of the Sophos Group 



utimaco 

a member of the Sophos Group 



Utimaco Safeware AG 

A member of the Sophos Group 




Sophos Group 



Utimaco Safeware AG 



Sophos PLC 



Lawful Interception 
Data Retention 




Hardware Security 
Modules 

Strong Encryption and 
Digital Signatures 




Endpoint Protection 
Information Security 

IT Governance and 
Compliance 






© Utimaco Safeware AG 



4 







Sophos Group 

Company Facts 




Utimaco Safeware AG 



■ Headquarters in Oberursel and Aachen, Germany 

■ 163 employees 

■ € 37.7 million revenues (fiscal year 10/11) 
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Sophos PLC 



■ Headquarters in Oxford, UK and 
Burlington, MA, USA 

■ 1 ,800 employees 

■ $ 340 million revenues (fiscal year 10/11) 




Sophos is a world leader 
in IT security and control 



5 








utimaco 




a member of the Sophos Group 



Quick Recap 



SMS 



Messages are sent to the SMSC which provides a "store and forward" mechanism. It 
attempts to send messages to the SMSC's recipients. If a recipient is not reachable, the 
SMSC queues the message for later retry (a "forward and forget" option exists also). 

Short messages can be encoded using a variety of alphabets: the default is GSM 7-bit, 
8-bit encoding, UTF-16 encoding are other options Depending on which alphabet the 
subscriber has configured in the handset, the maximum short message sizes of 160 7-bit 
characters, 140 8-bit characters, or 70 16-bit characters (including spaces). Characters 
in languages such as Arabic, Chinese, Korean, Japanese or Cyrillic alphabet languages 
(e.g. Russian, Serbian, Bulgarian, etc.) must be encoded using UTF-16. 

Concatenated SMS can be sent using multiple messages, in which case each message 
will start with a user data header (UDH) containing segmentation information. UDH is 
part of the payload. The receiving handset is then responsible for reassembling the 
message and presenting it to the user as one long message. Theory permits up to 255 
segments, 6 to 8 segment messages are the practical maximum. 
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Quick Recap 

Intelligence 

“Intelligence” has been defined in many ways within the LI and Investigations 
arena and sometimes “ Information” is misleadingly understood as 
intelligence. For us “Intelligence” is the extra that comes with information, 
something of added value explaining what that information may mean. Or in 
other words the step from knowing only facts to having insight into the context 
existing among them. 




What is Signals Intelligence? 
Customer f n pfronifient 



Applied 

Knowledge 

FactsVRelationships 
Discrete Facts 

rrrafflkjsj 

Bits'Streams 
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Electrical 

Impulses 
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Customer Target 




PROCESSING 



ANALYSIS 
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Bringing both together 

Technical drivers 



The technical drivers are usually 

♦ Number of SMSC‘s 

♦ Link type: HSL, 64kbit 

♦ Passive approach 

♦ Copy and forward 

♦ Amount of SMS 

♦ Additional sources like Cell-ID 

♦ 
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Bringing both together 

System architecture 



Operation 
& Administration 




Utimaco Data Retention Suite 
DRS Management Server 




cdr 

Mediation 

System 



Router 



Switch 



Location Subscriber 
Server Database 



Law Enforcement 
Agency 
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Data Analysis 
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Generating Intelligence: the questions (1/3) 

Search data containing specific values or similar values 

Results: 

♦ List of records containing the requested values 
Postprocessing: 

♦ Sorting 

♦ Filtering 

♦ Diagrams 

► Connections by time 

► Weighted links 

► Display in GIS 

♦ Export to file or print 

Examples: 

♦ Find all CDRs with phone no. 007123456 

♦ Find all user-IDs, phone no.s., IMEIs, IMSIs of person xyz 

♦ Find all CDRs with phone no. starting with 00712 

♦ Find all CDRs of originated at location xyz or in a radius of 10km 
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Generating Intelligence: the questions (2/3) 

Detect data with certain patterns 

Results: 

♦ List of records containing the defined pattern 
Postprocessing: 

♦ Sorting 

♦ Filtering 

♦ Aggregation 

♦ Diagrams: 

► Connections by time 

► Weighted links 

► Display in GIS 

♦ Export to file or print 
Examples: 

♦ Find all CDRs where EMEI and IMSI combination have changed more than x times (detect frequent 
handset changes) 

♦ Find relationship between phone no. x and phone no. Y 

♦ Find all CDRs which are frequently in location area xyz (e.g. more than 2 days a week or at a certain 
time of the day) 

♦ Find CDRs from subscribers which produce only unsuccessful call attempts but no call setup 
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Generating Intelligence: the questions (3/3) 

Start with all CDRs and drill down on certain data fields 

Results: 

♦ List of records 
Postprocessing: 

♦ Sorting 

♦ Filtering 

♦ Aggregation 

♦ Diagrams (for CDRs/lPDRs): 

► Connections by time 

► Weighted links 

► Display in GIS 

♦ Export to file or print 

Examples: 

♦ Find all CDRs in a certain time period to phone no. xyz -> sort/aggregate by number of 
CDRs from the same origin -> find subscriber contact details of selected CDRs 

♦ ..Social Network Analysis": Start with a set of CDRs and identify relationships by graphical 
analysis of connections 
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Generating Intelligence 

Ways to get the answer 
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Generating Intelligence 

Ways to get the answer 
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Summary 

Sun Tzu, “The Art of War” 

♦ “If you know neither yourself nor the enemy, you are a fool and will 
meet defeat in every battle.” 

Not knowing anything, is desperate 

♦ “If you know yourself but not the enemy, for every victory you will 
suffer a defeat.” 

Of course you need to know about your capabilities and limits; those of 
your officers and your tools 

♦ “If you know the enemy and know yourself, you need not fear the 
results of a hundred battles.” 

► This is the task in front, know your enemy 
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Dirk Schrader, Director Sales 
Business Unit LIMS 
Phone: +49 241 1696-226 
Dirk.Schrader@aachen.utimaco.de 

http://lims.utimaco.com 



© Utimaco Safeware AG 



16 




